GET /v1/b2b/sessions/jwks/{project_id}

```javascript
// GET /v1/b2b/sessions/jwks/{project_id}
const stytch = require('stytch');

// Project credentials. The SDK sends project_id:secret as the HTTP Basic
// Authorization header on every call; replace the placeholders with your values.
const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  project_id: '${projectId}',
};

// The Node SDK exposes this endpoint as client.sessions.getJWKS (lower-case).
// The response carries the project's current signing keys under `keys`.
client.sessions.getJWKS(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
```
Response body:

```json
{
  "keys": [
    {
      "kty": "<string>",
      "use": "<string>",
      "key_ops": [
        "<string>"
      ],
      "alg": "<string>",
      "kid": "<string>",
      "x5c": [
        "<string>"
      ],
      "x5tS256": "<string>",
      "n": "<string>",
      "e": "<string>"
    }
  ],
  "request_id": "<string>",
  "status_code": 123
}
```

Key rotation

Within the JWKS, the JSON Web Keys are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key, and both keys will be returned by this endpoint for a period of 1 month. JWTs have a set lifetime of 5 minutes, so there will be a 5-minute period where some JWTs will be signed by the old key and some JWTs will be signed by the new key. The correct key to use for validation is determined by matching the kid in the JWT header against the kid of a key in the set. If you're using one of our backend SDKs, the JSON Web Key rotation will be handled for you. If you're using your own JWT validation library, many have built-in support for JWK rotation, and you'll just need to supply this API endpoint. If not, your application should decide which JWK to use for validation by inspecting the kid value. Learn more about JWTs and session tokens here.

Authorizations

Authorization: string, header, required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Path Parameters

project_id: string, required

The project_id to get the JWKS for.

Response

Successful response

keys: object[], required

The list of JWKs associated with the project.

request_id: string, required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code: integer<int32>, required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.